Intro to Novell® Privileged User Manager and Securing Novell Open Enterprise Server 2


DESCRIPTION

Come to this session and see how Novell Privileged User Manager can help your organization reduce the cost, complexity and risk associated with managing superusers across the enterprise. Find out how to rapidly deploy superuser management for Novell Open Enterprise Server 2. You will see a live demo of how Novell Privileged User Manager allows you to control what commands users are authorized to run, at what time and from what location.


Page 1

Intro to Novell® Privileged User Manager and Securing Novell Open Enterprise Server 2

Brett A. Berger, Global Technical Support, Novell, Inc / [email protected]

Aaron Burgemeister, Global Technical Support, Novell, Inc / [email protected]

Page 2

Novell® Privileged User Manager

© Novell, Inc. All rights reserved.

• Introduction to Novell Privileged User Manager
  – Business Challenges
  – Novell Privileged User Manager solutions

• The Framework
  – Framework Components
  – Framework Deployment

• Command Control
  – Configuration - Rules
  – Configuration - Commands
  – Configuration - Scripts

Page 3

Novell® Privileged User Manager (cont.)

• Audit, Compliance, and Reporting
  – Overview

• Demo
  – Agent installation and registration
  – Patching Agents and Managers
  – Using NPUM to secure OES2
    > eDirectory™
    > Novell-tomcat
    > etc.

• Questions and Answers

Page 4

Intro to Novell® Privileged User Manager

Page 5

The IT Landscape is Changing

The risks and challenges of computing across multiple Linux/Unix environments must be eliminated.

Users should have unimpeded, secure and compliant access to the computing services they need to do their jobs right.

Computing should be secure and compliant.

Page 6

Business challenges

Linux/UNIX Administrators require elevated (superuser) privileges to do their job

Uncontrolled superuser access leaves the data center open to back door entries

Audit Weakness – Rogue admins/users covering their tracks

Compliance and Reporting

Page 7

Delegating Superuser Privileges

• Linux/UNIX admins require elevated (Superuser) privileges to do their jobs

Novell® Privileged User Manager can solve this

Diagram: App Developer, DBA, Admin, IT Manager, System Admin and Security Admin, all using the root account

Page 8

Uncontrolled Superuser Access

Uncontrolled Superuser access leaves the data center open to backdoor entry.

Novell® Privileged User Manager can solve this

Page 9

Audit Weakness

Audit weakness – users covering their tracks.

Novell® Privileged User Manager can solve this

Page 10

Compliance and Reporting

Compliance and reporting of user access.

Novell® Privileged User Manager can solve this

Page 11

Novell® Privileged User Manager

Page 12

Novell® Privileged User Manager

• Control user access to root privileges

• Audit all user activity with 100% keystroke logging

• Simplify audit activity with the most relevant, context-based information

• Analyze potential threats based on policy-based risk ratings

Page 13

The Framework

Page 14

The Framework

• The Framework is made up of three primary components:
  1. Framework Manager
  2. Framework Console
  3. Framework Agent

Page 15

Framework Manager

Diagram: a Primary Manager and a Back Up Manager serving several Agents. Manager modules: Audit, Command Control, Compliance, Reporting, Package Manager.

Page 16

Framework Console

Page 17

Framework Agent

Diagram: a Primary Manager and a Back Up Manager with several Agents. Agent modules: System Information (optional), Command Control, Registry, Distribution, Store and Forward.

Page 18

Underlying Modular Architecture

Groups of Agents can be added to logical domains for load-balancing, redundancy and traffic segregation

Audit databases can be placed in multiple locations for redundancy and security

Multiple Managers provide fail-over capability and load-balancing.

Diagram: a web browser (administrative access) reaches the Framework Console across the Internet over port 443; Managers running Command Control and Audit Manager, and the groups of Agents they serve, communicate host to host over port 29120.

Page 19

Deploying Novell® Privileged User Manager

Page 20

NPUM Prerequisites

Admin Console requires a browser with Adobe Flash installed

Open ports 443 (manager) and 29120 (agents and manager)

Servers must be resolvable (DNS/hosts/etc)

Time in sync (use ntp)

For SUSE® Linux Enterprise Server (SLES) – See TID#7003992 - usrun reports /bin/ls: cannot read symbolic link /proc/$$/exe: Permission denied

Page 21

Configuration: Manager

• Novell® Privileged User Manager 2.2.1
  – rpm -ivh novell-npum-manager-2.2.1-linux-2.X-XXX.rpm
  – Verify install in /opt/novell/npum/logs/unifid.log

• Login to https://ipaddress_of_framework_manager
  – User: admin
  – Pwd: novell
  – Default port of Framework Manager is 443
  – /opt/novell/npum/service/local/admin/connector.xml
  – <Connector ssl_ctx="https" port="443" mode="https"/>

Page 22

Simple Deployment

Step 1: Install Framework Manager
• Only one Framework Manager is installed
• Framework Manager can be installed on any supported host operating system

Diagram: the Manager among hosts running AIX, RedHat, OES2 SP2, Solaris and SLES 11

Page 23

Simple Deployment

Step 2: Pre-register Agents
• Log onto Web Console
• Enter the names of the agents that will be added to this Framework.

Diagram: the Manager and hosts running AIX, RedHat, OES2 SP2, Solaris and SLES 11

Page 24

Configuration: Agents

• Installing and registering an NPUM Agent
  – rpm -ivh novell-npum-agent-2.2.1-linux-2.X-XXXX.rpm
  – Register the Agent

  sd145:/ # /opt/novell/npum/sbin/unifi regclnt register
  Please provide the hostname or address for the framework manager : () 151.155.128.68
  Please provide the port number for the framework manager: (29120)
  Please provide the hostname or address for this agent: (sd145)
  Please provide the registered agent name for this agent: (sd145)

Page 25

Simple Deployment

Step 3: Install Framework Agents
• Each Framework Agent has a unique installer for the platform.
• During the install process the Framework Manager address is entered together with valid Framework credentials to register the new Agent into the Framework.
• The Agent and Manager handshake and a trust relationship is established.

Diagram: the Manager with Agents on OES2 SP2, AIX, RedHat, Solaris and SLES 11 hosts

Page 26

Command Control

Page 27

Novell® Privileged User Manager

Non-controlled
  – Log in as root
  – submit user: root, run user: root
  – remote shell

NPUM controlled
  – User logs in with own non-privileged account (log in as aaron)
  – Commands authorized before being executed remotely (submit user: aaron, run user: root, checked against the Command Control authorization DB before the remote shell runs them)
  – Known as ‘root delegation’

Page 28

Configuration: Setting up Rules

• Rules provide the means by which you can control commands. Commands can be authorized to run, or not authorized to run.

• Optional rule conditions:
  – The command being submitted
  – The user and host submitting the command
  – The user and host assigned to run the command
  – The time the command is submitted
  – etc.

Page 29

Configuration: Setting up Commands

• Commands
  – Commands
    > novell-tomcat5*
      » Would allow all options after novell-tomcat5
      » Examples: novell-tomcat5 start or novell-tomcat5 stop, etc
  – Commands, using regular expressions
    > =~#^(|/etc/init.d/)novell-tomcat5(\s+|$)#
      » Would allow /etc/init.d/novell-tomcat5 or novell-tomcat5 with any options afterwards.
      » Examples: /etc/init.d/novell-tomcat5 start or novell-tomcat5 stop, etc

Page 30

Configuration: Setting up Scripts

• Scripts
  – In addition to commands, perl scripts can be added to rules to do additional processing such as:
    > Send an email when a command is run
    > Execute the run user's profile
    > Define illegal commands
    > Truncate stdin/stdout/stderr captured by KB

Page 31

Configuration: Running Commands

• usrun
  – usrun [command]
  – usrun passes the command to the Command Control Manager for authorization. The command is allowed or denied based on configured rules.
  – Examples:
    > usrun /etc/init.d/ndsd stop
    > usrun novell-tomcat5 restart

• Rush
  – usrun rush
  – The Rush shell is based on the Korn (ksh) shell. Rush allows for complete session capture. Configure Command risk.

• Crush
  – Change the user's logon shell to /usr/bin/crush. Crush allows for complete session capture, without granting superuser privileges.

Page 32

Audit, Compliance, and Reporting

Page 33

Audit/Reporting

• Independent audit events are sent to the configured Audit servers from each agent

• Audit events include the following
  – Capture (Full keystroke session playback)
  – Start time/End time
  – User, Host, Command
  – Authorized/Unauthorized

Page 34

Compliance

• Compliance Auditor collects, filters and generates reports of audit data for analysis and sign-off by authorized personnel.

• Rules can be configured to pull any number of audit events matching a given filter at a specific interval.

• When an audit event is viewed, auditors can authorize the event, mark it as unauthorized, escalate it, or assign it to someone else for further review.
  – Each change is recorded as an “Audit trail”

• Automatic reports can be generated and e-mailed to appropriate personnel

Page 35

Workflow for Novell® Privileged User Manager

Each event record is color-coded according to the highest rated command risk

Diagram (steps 1-5 across Command Control, Rules, Audit Log, Compliance Auditor and the Manager):
• User activity: validate and secure user session
• Add audit group and risk rating
• Session event and keystroke log
• Automated rules pull events into Compliance Auditor database according to pre-defined risk filters
• Manager notified by e-mail each night of events waiting to be authorized
• Manager logs into Compliance Auditor and authorizes events
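The "automated rules pull events ... according to pre-defined risk filters" step above, as an added POSIX shell example that is not Novell's code and not the deck's: a constructed set of audit events carrying the fields the Audit/Reporting slide lists (start/end time, user, host, command, authorized/unauthorized) plus a risk rating, and a filter that pulls an event into the review queue when its risk meets a threshold or when Command Control denied it. The CSV layout, the 1-5 risk scale, the colour bands and every sample row are assumptions; NPUM's real audit schema is not shown on these slides.

```sh
#!/bin/sh
# Added example, not NPUM code: a toy "compliance pull" over NPUM-style audit events.
# Constructed data. The CSV layout and the 1-5 risk scale are assumptions.
# Fields: start,end,user,host,command,authorized,risk
AUDIT_EVENTS='2010-03-01T09:00:01,2010-03-01T09:00:03,bergerbr,oes2-a,/etc/init.d/ndsd stop,yes,3
2010-03-01T09:15:10,2010-03-01T09:15:11,aaron,oes2-a,novell-tomcat5 restart,yes,2
2010-03-01T10:02:00,2010-03-01T10:02:00,guest,oes2-b,/etc/init.d/ndsd stop,no,3
2010-03-01T11:30:00,2010-03-01T11:45:12,aaron,oes2-b,usrun rush,yes,5'

# pull_events MIN_RISK: the "pre-defined risk filter" of the workflow slide.
# An event is pulled for review when its risk is at least MIN_RISK, or when
# Command Control denied it (authorized == no) whatever its risk, so that a
# refused command never drops out of the queue just because it rated low.
pull_events() {
  printf '%s\n' "$AUDIT_EVENTS" |
    awk -F, -v min="$1" '($7 + 0) >= (min + 0) || $6 == "no"'
}

# count_pulled MIN_RISK: number of events waiting for the manager's sign-off.
count_pulled() {
  pull_events "$1" | wc -l | tr -d ' '
}

# risk_color RISK: colour band for one event record. The bands are an
# assumption; the deck only says records are colour-coded by command risk.
risk_color() {
  case "$1" in
    5|4) echo red ;;
    3)   echo amber ;;
    *)   echo green ;;
  esac
}

# highest_risk_color MIN_RISK: colour of the queue as a whole, taken from its
# highest rated event, matching "color-coded according to the highest rated
# command risk".
highest_risk_color() {
  max=$(pull_events "$1" | awk -F, 'BEGIN { m = 0 } ($7 + 0) > m { m = $7 + 0 } END { print m }')
  risk_color "$max"
}

# Stand-alone run: what a nightly pull at threshold 3 would hand the manager.
echo "Events waiting for authorization (risk >= 3 or unauthorized):"
pull_events 3
echo "Queue colour: $(highest_risk_color 3)"
```

The denied event from "guest" is pulled at every threshold: a denied command is exactly the kind of record an auditor should see even when its risk rating is low.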

Page 36

Demo

Page 37

Demo: Agent install and registration

• Agent installation
  – rpm -ivh novell-npum-agent-2.2.1-linux-2.4-intel.rpm

• Agent must be entered into the GUI
  – Host | Select the desired domain | “Add Hosts”

• Agent registration
  – Please remember to register this installation with the Novell Privileged User Manager using the command:
    /opt/novell/npum/sbin/unifi regclnt register

Page 38

Demo: Agent install and registration

• Agent registration (client side)

sles11-npum2:~ # /opt/novell/npum/sbin/unifi regclnt register

Please provide the hostname or address for the framework manager : () 151.155.130.142

Please provide the port number for the framework manager: (29120)

Please provide the hostname or address for this agent: () 151.155.128.131

Please provide the registered agent name for this agent: (sles11-npum2)

Framework manager: 151.155.130.142:29120

Agent hostname or address : 151.155.128.131

Agent name : sles11-npum2

Is this correct: (y)

Please enter the name and password of an account with permission to register this host.

User name: (admin)

Password:

Page 39

Demo: Patching Hosts

• Once the Agent has been installed, patches can be deployed through GUI to all registered hosts.

• Login to GUI | Hosts | select the desired host | Update Packages

• Patches may be applied on a single host or by domain, or by all hosts in the environment

Page 40

Demo: Securing OES2 Services

• On OES2 Linux, most of the “services” such as eDirectory™, novell-tomcat5, LUM, etc. must be configured and administered as root

• With Novell® Privileged User Manager, simple rules can be created to allow administrators of these services to run their commands with root privileges WITHOUT knowing root's password or logging in as root.

Page 41

Demo: Securing OES2 Services (cont.)

• Sample rule to Start/Stop eDirectory™

  Begin Rule: eDirectory Stop/Start
    If (command IN eDir Start/Stop AND user IN eDirAdminFull)
    Then
      Set Authorize: yes
      Set runUser = "root"
      Run Script: Execute RunUsers Profile()
      Stop if authorized
    End If
  End Rule: eDirectory Stop/Start

Page 42

Demo: Securing OES2 Services (cont.)

From this example, user “bergerbr”, who is a member of the eDirAdminFull group and logged in with normal privileges, would be able to run “usrun /etc/init.d/ndsd stop” or “usrun /etc/init.d/ndsd start”
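The eDirectory Stop/Start rule on the previous slide and the command definitions from the Setting up Commands slide, as an added POSIX shell example (not NPUM's engine, not its rule syntax): command groups are expressed as extended regular expressions, user groups as constructed membership lists, and authorize() prints the decision Command Control would reach for a given submit user and command line, with "denied" as the default when no rule matches. The deck's Perl pattern =~#^(|/etc/init.d/)novell-tomcat5(\s+|$)# is written here as ^(/etc/init\.d/)?novell-tomcat5([[:space:]]+|$) because grep -E has no \s and the empty alternative is just an optional prefix; the pattern for the "eDir Start/Stop" group, the second rule with its TomcatAdmin group, and every user name except bergerbr are assumptions.

```sh
#!/bin/sh
# Added example, not NPUM code: a toy evaluator for Command Control style rules.
# Command groups are POSIX ERE patterns. "eDir Start/Stop" is the group named in
# the deck's rule; its pattern is an assumption, the deck does not show it.
CMD_EDIR_STARTSTOP='^/etc/init\.d/ndsd[[:space:]]+(start|stop)$'
# The deck's novell-tomcat5 regex, with \s as [[:space:]] and the empty
# alternative (|/etc/init.d/) as an optional group; it accepts the same strings.
CMD_TOMCAT='^(/etc/init\.d/)?novell-tomcat5([[:space:]]+|$)'

# User groups: constructed membership lists (bergerbr is from the deck).
GROUP_EDIRADMINFULL='bergerbr aaron'
GROUP_TOMCATADMIN='webadmin'

# user_in_group USER "member member ..." -> 0 when USER is a member
user_in_group() {
  for member in $2; do
    [ "$member" = "$1" ] && return 0
  done
  return 1
}

# command_in COMMAND_LINE ERE -> 0 when the submitted line matches the pattern.
# The patterns are anchored, so trailing text after an allowed command is a miss.
command_in() {
  printf '%s\n' "$1" | grep -Eq "$2"
}

# authorize SUBMIT_USER COMMAND_LINE
# Prints the decision and returns 0 when authorized, 1 when denied. Mirrors the
# deck's rule: If (command IN eDir Start/Stop AND user IN eDirAdminFull) Then
# Authorize: yes, runUser = "root", Stop if authorized.
authorize() {
  submit_user=$1
  cmdline=$2

  # Rule: eDirectory Stop/Start
  if command_in "$cmdline" "$CMD_EDIR_STARTSTOP" &&
     user_in_group "$submit_user" "$GROUP_EDIRADMINFULL"; then
    echo 'authorized runUser=root'
    return 0
  fi

  # Rule: novell-tomcat5 (assumed second rule of the same shape)
  if command_in "$cmdline" "$CMD_TOMCAT" &&
     user_in_group "$submit_user" "$GROUP_TOMCATADMIN"; then
    echo 'authorized runUser=root'
    return 0
  fi

  # No rule authorized it: deny by default, so an unlisted command never runs as root.
  echo 'denied'
  return 1
}

# Stand-alone run: what each submit user would get back from usrun.
for attempt in \
  'bergerbr|/etc/init.d/ndsd stop' \
  'guest|/etc/init.d/ndsd stop' \
  'bergerbr|/etc/init.d/ndsd stop extra' \
  'webadmin|/etc/init.d/novell-tomcat5 start' \
  'webadmin|novell-tomcat5x start'
do
  user=${attempt%%|*}
  cmd=${attempt#*|}
  printf '%-10s %-40s %s\n' "$user" "$cmd" "$(authorize "$user" "$cmd")" || :
done
```

Two details carry the security value of the rule: membership and command pattern are both required (a member of eDirAdminFull still cannot run "ndsd restart", and a non-member cannot run "ndsd stop"), and the patterns are anchored at both ends, so "/etc/init.d/ndsd stop extra" and "novell-tomcat5x" fall through to the default deny rather than riding on a prefix match.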

Page 43

Questions and Answers

Page 44

Page 45

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.